SSH Proxy Jump

In my current job I have to support multiple environments with Ansible. Each environment uses a different network range, and none of them is reachable directly from the internet: you have to go through a bastion server or connect to the VPN first.

SSH's proxy feature has been very useful here, and with OpenSSH 7.3 and later the ProxyJump option makes the proxy setup even easier to get right.

Here is a breakdown of my use case:

Scenario

There are four servers in two networks. jumpbox is the only server in network alpha that can open an SSH session to bastion A. bastion A and demo A can talk to each other. The goal is to let the admin server reach demo A, so that Ansible can provision demo A.

Server         Network   Access                              IP
jumpbox        alpha     Network alpha, bastion A, internet  10.10.10.10
admin server   alpha     Network alpha                       10.10.10.20
bastion A      beta      Network beta, internet              20.20.20.10
demo A         beta      Network beta                        20.20.20.20

Config SSH client

On the admin server, edit the SSH client config to set up the proxy chain.

~/.ssh/config:

# Include config files in config.d directory
Include config.d/*
...

Host jumpbox
  User john
  Hostname x.x.x.x

...

Create a config.d directory and add one file per network, alpha and beta:

mkdir -p ~/.ssh/config.d
touch ~/.ssh/config.d/beta
touch ~/.ssh/config.d/alpha

Edit the beta file and add demo A and bastion A to it.

~/.ssh/config.d/beta:

Host demo-A
  User john
  ProxyJump bastion-A
  Hostname 20.20.20.20

Host bastion-A
  User john
  ProxyJump jumpbox
  Hostname 20.20.20.10

~/.ssh/config.d/alpha:

Host jumpbox
  User john
  Hostname 10.10.10.10

Connect

Now run ssh demo-A. The client opens a session to jumpbox, asks it to relay a TCP connection to bastion A, authenticates to bastion A over that relay, asks bastion A to relay a connection to demo A, and finally authenticates to demo A. Before connecting, ssh -G demo-A prints the options ssh will actually use, including the proxyjump value, so you can confirm which stanza won. Since Include comes first in ~/.ssh/config and ssh keeps the first value it finds for each option, the jumpbox stanza in config.d/alpha (Hostname 10.10.10.10) takes precedence over the one further down in ~/.ssh/config. The same chain can be written on one line as ProxyJump jumpbox,bastion-A, or ad hoc as ssh -J jumpbox,bastion-A demo-A.

Note: you will be asked for credentials on every server you jump through, because each hop is authenticated from the admin server. Your private key never leaves the admin server and no agent forwarding is involved.

If you see an error message like the following:

channel 0: open failed: administratively prohibited: open failed

one of the hosts you are jumping through (jumpbox or bastion A) refused to open the forwarded TCP channel that ProxyJump relies on. This is an sshd restriction on that host, normally AllowTcpForwarding set to no, or a PermitOpen that does not include the next hop's address and port; it is not an agent forwarding problem. Fixing it means editing sshd_config on that host, so you will need sudo access there.

Config SSH server

On jumpbox and bastion A (the hosts you pass through; demo A is only the final destination and needs no change), make sure sshd_config allows the TCP forwarding that ssh -W uses:

/etc/ssh/sshd_config:

...
AllowTcpForwarding yes

If you want to keep the bastion locked down, AllowTcpForwarding local together with PermitOpen 20.20.20.10:22 on jumpbox (and PermitOpen 20.20.20.20:22 on bastion A) permits only the single connection ProxyJump needs. AllowAgentForwarding can stay at no; ProxyJump does not use the agent. Remember to restart the sshd service after you change the setting; run sshd -t first to check the file for syntax errors, and sshd -T (as root) to print the values sshd will actually apply.
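As an added example (my own code, not part of the original post), here is a small POSIX shell linter that reads an sshd_config the way sshd does for the global section (keywords are case-insensitive and the first occurrence wins; it stops at the first Match block) and reports whether a client could open the direct-tcpip channel that ProxyJump needs through that host, i.e. whether sshd would answer "administratively prohibited". It also prints a least-privilege fragment for a pure jump host. The two sample configs it writes are constructed for the demo, not captured from real hosts, and the function names (effective_option, proxyjump_ok, write_samples, jump_host_fragment) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: lint the sshd_config settings that
# decide whether ProxyJump can pass through a host, and generate a locked-down
# jump-host fragment. Function names are hypothetical, chosen for this demo.
#
# sshd semantics relied on here: keywords are case-insensitive, the first
# occurrence of a keyword wins, and lines inside a Match block apply only
# conditionally, so only the global section (before the first Match) is read.

# effective_option FILE KEYWORD -> first global value of KEYWORD, or "" if unset
effective_option() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match"  { exit }        # stop at the first Match block
    $1 ~ /^#/ || NF == 0    { next }        # skip comments and blank lines
    tolower($1) == key      {               # first occurrence wins; keep all args
      s = $2; for (i = 3; i <= NF; i++) s = s " " $i; print s; exit
    }
  ' "$1"
}

# proxyjump_ok FILE NEXT_HOP -> "ok" if a client may open the direct-tcpip channel
# to NEXT_HOP (host:port) that ssh -W, and therefore ProxyJump, needs through this
# host; otherwise the reason sshd would refuse with "administratively prohibited".
proxyjump_ok() {
  fwd=$(effective_option "$1" AllowTcpForwarding | tr 'A-Z' 'a-z')
  case "$fwd" in
    ""|yes|all|local) ;;                    # unset defaults to yes; local is enough
    *) echo "blocked: AllowTcpForwarding $fwd"; return 0 ;;
  esac
  open=$(effective_option "$1" PermitOpen | tr 'A-Z' 'a-z')
  case "$open" in
    ""|any) echo ok; return 0 ;;            # no destination restriction
  esac
  for dest in $open; do                     # PermitOpen may list several host:port
    [ "$dest" = "$2" ] && { echo ok; return 0; }
  done
  echo "blocked: PermitOpen $open does not include $2"
}

# write_samples DIR -> two constructed sshd_config samples (not real hosts' files):
# "before" is a typical hardened bastion, "after" allows exactly the one hop that
# ProxyJump from bastion A to demo A needs and still keeps agent forwarding off.
write_samples() {
  cat > "$1/bastion-before" <<'EOF'
# constructed sample, not a real host's file
Port 22
PermitRootLogin no
AllowTcpForwarding no
AllowAgentForwarding no
EOF
  cat > "$1/bastion-after" <<'EOF'
# constructed sample, not a real host's file
Port 22
PermitRootLogin no
AllowTcpForwarding local
PermitOpen 20.20.20.20:22
AllowAgentForwarding no
Match User deploy
    AllowTcpForwarding no
EOF
}

# jump_host_fragment NEXT_HOP -> sshd_config lines for a host whose only job is to
# relay ProxyJump traffic to NEXT_HOP (host:port). Suggested hardening, not the post's.
jump_host_fragment() {
  cat <<EOF
AllowTcpForwarding local
PermitOpen $1
AllowAgentForwarding no
X11Forwarding no
EOF
}

# Run on the constructed samples; jumpbox would be checked the same way with 20.20.20.10:22.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "before: $(proxyjump_ok "$tmp/bastion-before" 20.20.20.20:22)"
echo "after:  $(proxyjump_ok "$tmp/bastion-after" 20.20.20.20:22)"
echo "fragment for jumpbox:"
jump_host_fragment 20.20.20.10:22
rm -rf "$tmp"
```

Use it as a quick pre-check on a copy of the file from each hop. The authoritative answer is still sshd -T on the host itself, which prints the values sshd really applies, including the Match blocks this linter deliberately stops at.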